Spring Security Java API Introduction

This quickstart will guide you through the various tasks related to using Auth0-issued JSON Web Tokens to secure your Java Spring Security API.

Seed and Samples

If you prefer to follow along with this quickstart you can download the seed project. The seed project is just a basic Spring Security API.

The final project after each of the steps is also available in the Sample repository. You can find the final result for each step in the relevant folder inside the repository.

Application Keys

When you signed up for Auth0, you were invited to create a new client.

There are some details about this client that your application needs to know about to properly communicate with Auth0. These include your Client ID, Domain, and Client Secret. You can retrieve these values from the settings area for your client in the Auth0 dashboard.

Please note that if you download the samples available for this tutorial, these keys will be pre-populated for you. If you have created more than one client in your account, the sample will come with the values for your Default App.

Configure your Spring Security API

Your Spring Security API needs some information in order to authenticate against your Auth0 account. We have created a file for you but you may need to update some of the entries with the valid values for your Client. The file is /src/main/resources/auth0.properties and it contains the following:

auth0.domain

Your Auth0 domain. You can find the correct value on the Settings tab of your client on the dashboard. *

auth0.issuer

The issuer of the JWT. This is typically your Auth0 domain with an https:// prefix and a / suffix. For example, if your auth0.domain is example.auth0.com then auth0.issuer should be set to https://example.auth0.com/ (the trailing slash is important).

auth0.clientId

The unique identifier for your client. You can find the correct value on the Settings tab of your client on the dashboard. *

auth0.clientSecret

The secret used to sign and validate the tokens that will be used in the different authentication flows. You can find the correct value on the Settings tab of your client on the dashboard. *

auth0.securedRoute

The URL pattern that should map to the URL endpoint you wish to secure. You should replace its value with the correct value for your implementation. It should start with /. *

auth0.base64EncodedSecret

A boolean value indicating whether the Secret used to verify the JWT is base64 encoded. Default is false.

A boolean value that switches the default configuration on or off. It should be set to false.

auth0.signingAlgorithm: HS256

Used when you want to use HS256 as the signing algorithm. We will see more on this in the next steps.

#auth0.signingAlgorithm: RS256

Used when you want to use RS256 as the signing algorithm. We will see more on this in the next steps.

#auth0.publicKeyPath: certificate/cert.pem

The path to the certificate to use when you choose RS256. We will see more on this in the next steps.

NOTE: If you download the seed using our Download Sample button, the domain, clientId and clientSecret attributes will be populated for you, unless you are not logged in or you do not have at least one registered client. If you have multiple clients in your account, verify that the values are correct, because you might want to use a different client from the one the sample was populated with. Do not forget to manually set the issuer attribute!
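A sanity check for the entries described above, as an added example that is not part of the quickstart or the Auth0 library: it loads the properties and reports an issuer that does not match the domain, a secured route without a leading /, and a signing algorithm whose key material is missing. The class name `Auth0PropertiesCheck`, the placeholder values, and the rule that HS256 needs `auth0.clientSecret` while RS256 needs `auth0.publicKeyPath` are assumptions drawn from the descriptions on this page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
public class Auth0PropertiesCheck {
    // Returns the list of problems found; an empty list means the file passed.
    static List<String> check(Properties p) {
        List<String> problems = new ArrayList<>();
        String domain = p.getProperty("auth0.domain", "").trim();
        String issuer = p.getProperty("auth0.issuer", "").trim();
        String route = p.getProperty("auth0.securedRoute", "").trim();
        String alg = p.getProperty("auth0.signingAlgorithm", "").trim();

        if (domain.isEmpty()) problems.add("auth0.domain is not set");
        // The issuer is the domain with an https:// prefix and a trailing slash.
        if (!issuer.equals("https://" + domain + "/"))
            problems.add("auth0.issuer should be https://" + domain + "/ (trailing slash included)");
        if (!route.startsWith("/")) problems.add("auth0.securedRoute must start with /");
        if (p.getProperty("auth0.clientId", "").trim().isEmpty()) problems.add("auth0.clientId is not set");
        if (alg.equals("HS256")) {
            // Assumption: HS256 verification uses the shared client secret.
            if (p.getProperty("auth0.clientSecret", "").trim().isEmpty())
                problems.add("HS256 selected but auth0.clientSecret is not set");
        } else if (alg.equals("RS256")) {
            // Assumption: RS256 verification uses the certificate at auth0.publicKeyPath.
            if (p.getProperty("auth0.publicKeyPath", "").trim().isEmpty())
                problems.add("RS256 selected but auth0.publicKeyPath is not set");
        } else {
            problems.add("auth0.signingAlgorithm must be HS256 or RS256, got '" + alg + "'");
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample with placeholder values; the issuer lacks its trailing slash.
        String sample = String.join("\n",
            "auth0.domain: example.auth0.com",
            "auth0.issuer: https://example.auth0.com",
            "auth0.clientId: YOUR_CLIENT_ID",
            "auth0.clientSecret: YOUR_CLIENT_SECRET",
            "auth0.securedRoute: /secured/**",
            "auth0.signingAlgorithm: HS256",
            "#auth0.publicKeyPath: certificate/cert.pem");
        Properties p = new Properties();
        p.load(new StringReader(sample));
        check(p).forEach(System.out::println);
    }
}
```

To check your own file, load /src/main/resources/auth0.properties with a `FileReader` in place of the constructed sample.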

That's all you need to start working with Auth0 in your Spring Security API!